On Mon, 24 Aug 2009 10:33:31 -0500, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 8/24/2009 9:51 AM, Julien Vehent wrote:
>> Hello guys,
>>
>> This is my first email on the list, so I hope it doesn't break any rule :)
>>
>> I've been playing around with my postfix logs to evaluate the percentage
>> of MTAs that are using STARTTLS when sending me emails.
>>
>> The result is pretty interesting, because some MTAs are using TLS, but not
>> all the time. It appears that the MTA will start the TLS connection once in
>> a while, and the rest of the time it won't (the opposite works too ;) ).
>>
>> I suppose it's just me who is not understanding something properly...
>> sorry for the noise, but if somebody could explain :)
>>
>>
>> Here is an example with a mailing list server:
>>
>> First log:
>> ------
>> Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: initializing the server-side TLS engine
>> Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: connect from <MAILING_LIST_MTA>[1.2.3.4]
>> ------
>>
>> We clearly see the initialization of the TLS connection. But the day
>> before, the log was different:
>>
>> ------
>> Aug 21 12:05:37 zerhuel cyrus/imaps[10051]: open: user XXXXXX opened INBOX
>>
>> Aug 21 12:05:41 zerhuel postfix/smtpd[10055]: connect from <MAILING_LIST_MTA>[1.2.3.4]
>> Aug 21 12:05:41 zerhuel postgrey[3113]: action=pass, reason=triplet found, client_name=<MAILING_LIST_MTA>, client_address=1.2.3.4, sender=<MAILINGLIST>+bounces-3062-julien=linuxwall.info@<MAILINGLIST>.org, recipient=jul...@linuxwall.info
>> ------
>>
>> No TLS initialization here. And I don't think this is a TLS cache issue,
>> because at some other times, I see very close connections that both perform
>> the TLS initialization:
>>
>> first one:
>> -----
>> Aug 21 06:18:03 zerhuel postfix/smtpd[26217]: initializing the server-side TLS engine
>> Aug 21 06:18:04 zerhuel postfix/smtpd[26217]: connect from <MAILING_LIST_MTA>[1.2.3.4]
>> -----
>>
>> second one:
>> -----
>> Aug 21 06:23:51 zerhuel postfix/smtpd[26478]: initializing the server-side TLS engine
>> Aug 21 06:23:51 zerhuel postfix/smtpd[26478]: connect from <MAILING_LIST_MTA>[1.2.3.4]
>> -----
>>
>> I see this behavior in, at least, 30 MTAs in my logs (within a week) on a
>> total of about 220.
>>
>>
>> I run a pretty small infrastructure with two servers running Postfix
>> 2.5.5-1.1 on Debian Lenny.
>> My SMTPD TLS configuration is:
>>
>> ------
>> smtpd_tls_CAfile = <xxxxx>
>> smtpd_tls_CApath =
>> smtpd_tls_always_issue_session_ids = yes
>> smtpd_tls_ask_ccert = yes
>> smtpd_tls_auth_only = yes
>> smtpd_tls_ccert_verifydepth = 9
>> smtpd_tls_cert_file = <xxxxx>
>> smtpd_tls_dcert_file =
>> smtpd_tls_dh1024_param_file =
>> smtpd_tls_dh512_param_file =
>> smtpd_tls_dkey_file = $smtpd_tls_dcert_file
>> smtpd_tls_exclude_ciphers =
>> smtpd_tls_fingerprint_digest = md5
>> smtpd_tls_key_file = <xxxxx>
>> smtpd_tls_loglevel = 2
>> smtpd_tls_mandatory_ciphers = medium
>> smtpd_tls_mandatory_exclude_ciphers =
>> smtpd_tls_mandatory_protocols = SSLv3, TLSv1
>> smtpd_tls_received_header = yes
>> smtpd_tls_req_ccert = no
>> smtpd_tls_security_level = may
>> smtpd_tls_session_cache_database = btree:<xxxxx>
>> smtpd_tls_session_cache_timeout = 3600s
>> smtpd_tls_wrappermode = no
>> ------
>>
>>
>> Any idea of what this is due to?
>
> That message does not indicate a TLS connection. Try using
> smtpd_tls_loglevel = 1
> for a clear indication of when TLS is in use without the noise.
>
> -- Noel Jones
OK, I did. I will look more closely at the logs to check that again. But what does this message indicate, if not a TLS connection?

Thanks,
Julien
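An added example, not part of the thread above and not Postfix code, of how to measure STARTTLS use from smtpd logs without being misled by the "initializing the server-side TLS engine" line. Postfix prints that line when an smtpd process sets up its TLS context at start-up (smtpd_tls_loglevel >= 2), and one smtpd process goes on to serve several connections, so the line says nothing about any one session. What does indicate a completed STARTTLS handshake, at smtpd_tls_loglevel = 1, is a line of the form "Anonymous TLS connection established from host[ip]: TLSv1 with cipher ..." (the first word is Anonymous, Untrusted, Trusted or Verified depending on certificate checks). The script below pairs each "connect from" with any TLS line on the same smtpd pid before the matching "disconnect from", and counts the engine-initialisation lines separately so you can see they never map to a session. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log, not taken from the original post. The lines follow
# Postfix 2.5 smtpd output: the "initializing" line is what loglevel 2 prints
# when an smtpd process starts; the "TLS connection established" line is what
# loglevel 1 prints after a successful STARTTLS handshake. Note that pid 2109
# serves two sessions but logged the "initializing" line only once.
SAMPLE_LOG = """\
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: initializing the server-side TLS engine
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: connect from mx1.example.org[192.0.2.10]
Aug 22 07:52:12 zerhuel postfix/smtpd[2109]: Anonymous TLS connection established from mx1.example.org[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 22 07:52:14 zerhuel postfix/smtpd[2109]: disconnect from mx1.example.org[192.0.2.10]
Aug 22 08:01:02 zerhuel postfix/smtpd[2109]: connect from mx1.example.org[192.0.2.10]
Aug 22 08:01:03 zerhuel postfix/smtpd[2109]: disconnect from mx1.example.org[192.0.2.10]
Aug 22 09:15:40 zerhuel postfix/smtpd[2210]: initializing the server-side TLS engine
Aug 22 09:15:40 zerhuel postfix/smtpd[2210]: connect from mail.example.net[198.51.100.7]
Aug 22 09:15:41 zerhuel postfix/smtpd[2210]: disconnect from mail.example.net[198.51.100.7]
"""

SMTPD_RE = re.compile(r'postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
CLIENT = r'(?P<client>\S+\[[^\]]+\])'          # "hostname[ip]" as Postfix prints it
CONNECT_RE = re.compile(r'^connect from ' + CLIENT)
DISCONNECT_RE = re.compile(r'^disconnect from ' + CLIENT)
TLS_RE = re.compile(
    r'^(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established '
    r'from ' + CLIENT + r': (?P<proto>\S+) with cipher (?P<cipher>\S+)')
INIT_RE = re.compile(r'^initializing the server-side TLS engine')


def tls_usage(log_text):
    """Count, per client, how many SMTP sessions it opened and how many of
    them negotiated TLS.

    Returns (stats, init_msgs): stats maps "host[ip]" to a dict with
    'sessions', 'tls' and 'ciphers' (set of "proto/cipher" strings seen);
    init_msgs counts engine-initialisation lines, which belong to no session.
    """
    open_sessions = {}   # smtpd pid -> client of the session currently open
    stats = defaultdict(lambda: {'sessions': 0, 'tls': 0, 'ciphers': set()})
    init_msgs = 0
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue   # not an smtpd line (postgrey, cyrus, ...)
        pid, msg = m.group('pid'), m.group('msg')
        if INIT_RE.match(msg):
            init_msgs += 1   # process start-up: no client, no handshake
            continue
        c = CONNECT_RE.match(msg)
        if c:
            open_sessions[pid] = c.group('client')
            stats[c.group('client')]['sessions'] += 1
            continue
        t = TLS_RE.match(msg)
        if t and open_sessions.get(pid) == t.group('client'):
            entry = stats[t.group('client')]
            entry['tls'] += 1
            entry['ciphers'].add(t.group('proto') + '/' + t.group('cipher'))
            continue
        d = DISCONNECT_RE.match(msg)
        if d:
            open_sessions.pop(pid, None)
    return dict(stats), init_msgs


def share_of_clients_using_tls(stats):
    """Fraction of distinct clients that negotiated TLS at least once."""
    if not stats:
        return 0.0
    return sum(1 for s in stats.values() if s['tls']) / len(stats)


def report(stats):
    """One summary line per client: sessions, TLS sessions, percentage, ciphers."""
    lines = []
    for client, s in sorted(stats.items()):
        pct = 100.0 * s['tls'] / s['sessions'] if s['sessions'] else 0.0
        lines.append('%-36s sessions=%d tls=%d (%.0f%%) %s'
                     % (client, s['sessions'], s['tls'], pct,
                        ','.join(sorted(s['ciphers']))))
    return lines


if __name__ == '__main__':
    stats, init_msgs = tls_usage(SAMPLE_LOG)
    print('\n'.join(report(stats)))
    print('engine-init lines ignored: %d' % init_msgs)
    print('clients using TLS at least once: %.0f%%'
          % (100 * share_of_clients_using_tls(stats)))
```

Run against a real mail.log with smtpd_tls_loglevel = 1, the per-client percentage answers the original question directly: a sending MTA that shows, say, 2 sessions and 1 TLS session really did use STARTTLS only half the time, whereas the "initializing" line would have counted every freshly spawned smtpd as a TLS session regardless of what the peer did.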